Bug 930993 - In out of line truncate, restore registers in the correct order. r=jandem, a=bajaj
authorBenjamin Bouvier <benj@benj.me>
Mon, 28 Oct 2013 19:46:22 +0100
changeset 166622 e7be5919512b829fad0cb81d8768c97ed885240a
parent 166621 d364517977a73340f7be783937dd9e368adc883b
child 166623 2a3e0cf45dbfec2895f6094e2981441cedc56e97
push id3066
push userakeybl@mozilla.com
push dateMon, 09 Dec 2013 19:58:46 +0000
treeherdermozilla-beta@a31a0dce83aa [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem, bajaj
bugs930993
milestone27.0a2
Bug 930993 - In out of line truncate, restore registers in the correct order. r=jandem, a=bajaj
js/src/jit-test/tests/ion/bug930993.js
js/src/jit/shared/CodeGenerator-shared.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug930993.js
@@ -0,0 +1,6 @@
+x = {};
+y = x;
+x.toString = function() {
+    Int8Array(ArrayBuffer)[0] = Float32Array(ArrayBuffer)[0];
+}
+print(x << y);
--- a/js/src/jit/shared/CodeGenerator-shared.cpp
+++ b/js/src/jit/shared/CodeGenerator-shared.cpp
@@ -747,21 +747,21 @@ CodeGeneratorShared::visitOutOfLineTrunc
     masm.setupUnalignedABICall(1, dest);
     masm.passABIArg(src);
     if (gen->compilingAsmJS())
         masm.callWithABI(AsmJSImm_ToInt32);
     else
         masm.callWithABI(JS_FUNC_TO_DATA_PTR(void *, js::ToInt32));
     masm.storeCallResult(dest);
 
-    restoreVolatile(dest);
-
     if (ool->needFloat32Conversion())
         masm.pop(src);
 
+    restoreVolatile(dest);
+
     masm.jump(ool->rejoin());
     return true;
 }
 
 void
 CodeGeneratorShared::emitPreBarrier(Register base, const LAllocation *index, MIRType type)
 {
     if (index->isConstant()) {